the big question is: are we solely responsible for making sure they are secure
This doesn't make sense. If a miscreant can go to the operator and effectively hijack somebody's phone, what exactly is the end user supposed to do? Surely it is entirely the responsibility of the telco to verify (beyond any reasonable doubt) that the person making the demand is the legitimate owner.
I don't know about how things work in the US, but here in France the telco demands a copy of my passport/identity card, and it's a lot less hassle if you go to one of the telco shops so somebody can see that you match the identity photo. Also, when my mother lost her phone, the old SIM was blocked immediately, and after showing identification, she was told that a new SIM would be mailed by courier to the address on record (which was neither confirmed nor disclosed) and it would arrive in under a week (took three days). It's, you know, not hard...
Biting the hand that feeds IT
